add setter for enable_pkp_bypass_etc

components/cronet/ios/test/cronet_pkp_test.mm

Index: components/cronet/ios/test/cronet_pkp_test.mm
diff --git a/components/cronet/ios/test/cronet_pkp_test.mm b/components/cronet/ios/test/cronet_pkp_test.mm
index 962a54ec18ecf486460998f7ce40613b299e7fcf..e0542949fba12df9cee77580c11e5ed3859dc8e8 100644
--- a/components/cronet/ios/test/cronet_pkp_test.mm
+++ b/components/cronet/ios/test/cronet_pkp_test.mm
@@ -78,6 +78,7 @@ class PkpTest : public CronetTestBase {
                             NSData* hash,
                             BOOL include_subdomains,
                             NSDate* expiration_date) {
+    [Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:NO];
     NSSet* hashes = [NSSet setWithObject:hash];
     NSError* error;
     BOOL success = [Cronet addPublicKeyPinsForHost:host
@@ -141,6 +142,21 @@ TEST_F(PkpTest, TestSuccessIfPinMatches) {
   ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kSuccess));
 }
 
+TEST_F(PkpTest, TestBypass) {

[kapishnikov, 2017/06/28 03:42:32]

Can we add another test that tests behavior with the default bypass value? I am
afraid that if for some reason we change the default value, we may break
existing applications.

[lilyhoughton, 2017/06/28 14:38:51]

I don't know how to do this, since that would require running the test before
any of the tests which call the setter; and I don't think test-order is
guaranteed.

[kapishnikov, 2017/06/28 15:32:23]

I was thinking of creating the same test but without calling
[Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:YES];

Let's assume that somebody in the future will change the definition of
BOOL gEnablePKPBypassForLocalTrustAnchors = YES; to 'NO' by mistake.
Since our PKP tests set the value explicitly, they will still continue passing
but the behavior will change and we will not detect it.

+  [Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:YES];
+
+  NSSet* hashes = [NSSet setWithObject:NonMatchingHash()];
+  NSError* error;
+  BOOL success = [Cronet addPublicKeyPinsForHost:server_host_
+                                       pinHashes:hashes
+                               includeSubdomains:kExcludeSubdomains
+                                  expirationDate:(NSDate*)kDistantFuture
+                                           error:&error];
+
+  EXPECT_FALSE(success);
+  EXPECT_EQ([error code], CRNErrorIncoherentConfig);
+}
+
 // Tests the case when the pin hash does not match and the client accesses the
 // subdomain of the configured PKP host with includeSubdomains flag set to true.
 // The client is expected to receive the error response.